Java Certificate: HTTPS vs. SSL

Source: Internet
Author: User
Tags ssl connection

 

When Java opens an HTTPS connection, it still verifies that the server's certificate is trusted (issued or signed by a trusted certificate authority), just as a browser does. If the server-side certificate is not trusted, the default implementation fails the handshake, and Java typically reports the following error when accessing SSL links:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
    at com.wenhq.http.TestSSL.testAig(TestSSL.java:21)
    at com.wenhq.http.TestSSL.main(TestSSL.java:13)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)

This exception occurs because a trusted security certificate is missing.

When the client makes an SSL connection, JSSE decides whether to trust the server-side certificate based on the certificates in the truststore file. In SunJSSE, a trust manager class is responsible for deciding whether to trust the remote certificate, and it follows these rules:
1) If the system property javax.net.ssl.trustStore specifies a truststore file, the trust manager looks in the lib/security/ directory under the JRE installation path for this file and uses it to check the certificate.
2) If the system property does not specify a truststore file, it looks under the JRE installation path for the default truststore file, whose relative path is lib/security/jssecacerts.
3) If jssecacerts does not exist but cacerts does (it ships with the J2SDK and contains a limited number of trusted root certificates), the default truststore file is lib/security/cacerts.

You can add a trusted certificate to Java as follows:
1. Export the certificate from the Chrome browser as a CER-format file.

2. Import the CER certificate into the Java certificate trust store:
D:\Program files\java\jdk1.6.0_07\bin>keytool -import -keystore jssecacerts -file Purchase.cer -alias Purchase

Enter keystore password: changeit
Re-enter new password: changeit


3. Put the generated jssecacerts file into the $javahome\jdk1.6.0_07\jre\lib\security directory.
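A diagnostic for the lookup rules and the import steps above, as an added example that is not part of the original page: it resolves which truststore file the JVM will consult and checks whether the imported alias is in it. The class name TrustStoreProbe is hypothetical; it assumes the password changeit and the alias from the keytool step, and opens the javax.net.ssl.trustStore value as a file path, as the JSSE Reference Guide describes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Added example, not from the original page.
public class TrustStoreProbe {

    // Lookup order from rules 1-3 above. The property value is opened as a
    // file path (assumption taken from the JSSE Reference Guide).
    static File resolveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null && !explicit.isEmpty()) {
            return new File(explicit);
        }
        File dir = new File(new File(System.getProperty("java.home"), "lib"), "security");
        File jssecacerts = new File(dir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        // Alias from the keytool step; JKS keystores store aliases in lower case.
        String alias = args.length > 0 ? args[0] : "purchase";
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());

        File store = resolveTrustStore();
        System.out.println("Effective truststore: " + store.getAbsolutePath());
        if (!store.isFile()) {
            System.out.println("File does not exist.");
            return;
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, password.toCharArray());
        }
        System.out.println("Trusted entries: " + ks.size());
        System.out.println("Contains alias '" + alias + "': " + ks.containsAlias(alias));

        if ("jssecacerts".equals(store.getName())) {
            // Only one file is consulted: CAs present only in cacerts are not trusted.
            System.out.println("Note: cacerts is not consulted while jssecacerts exists.");
        }
    }
}
```

Run it with the same JDK as the failing application. A jssecacerts file newly created by the keytool command above holds only the imported certificate, so after step 3 servers signed by CAs that exist only in cacerts fail with the same PKIX error.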
